This repository contains terraform code to deploy a sample AWS Hub and Spoke architecture with an Inspection VPC using AWS Network Firewall. The resources deployed and the architectural pattern they follow is purely for demonstration/testing purposes.
- An AWS account with an IAM user with the appropriate permissions
- Terraform installed
- Writing DRY (Do No Repeat Yourself) code using a modular design pattern
- Clone the repository
- Edit the variables.tf file in the project root directory. This file contains the information used to configure the Terraform code.
Note EC2 instances, and AWS Network Firewall endpoints will be deployed in all the Availability Zones configured for each VPC. Keep this in mind when testing this environment from a cost perspective - for production environments, we recommend the use of at least 2 AZs for high-availability.
terraform initto initialize the environment.terraform planto check the resources to createterraform applyto build the architecture.
terraform destroywill clean-up the resources created.
The AWS Network Firewall Policy is defined in the policy.tf file in the network_firewall module directory. By default:
- All the SSH and RDP traffic is blocked by the Stateless engine.
- The Stateful engine follows Strict Rule Ordering, blocking all the traffic by default. Two rule groups allow ICMP traffic (between East/West traffic only), and HTTPS traffic to any *.amazon.com domain.
This project configures both the alert and flow logs to respective AWS Cloudwatch Log Groups (both for the VPC Flow logs and AWS Network Firewall logs). In VPC Flow logs, you can also use Amazon S3. In Network Firewall, you can also use Amazon S3, or Amazon Kinesis Firehose.
To follow best practices, all the logs are encrypted at rest using AWS KMS. The KMS key (alongside the IAM roles needed) is created using the iam_kms module.
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.